[Security Solution] OpenAPI linter

package.json

@@ -1306,6 +1306,7 @@
     "@octokit/rest": "^16.35.0",
     "@openpgp/web-stream-tools": "^0.0.10",
     "@parcel/watcher": "^2.1.0",
+    "@redocly/cli": "^1.6.0",
     "@storybook/addon-a11y": "^6.5.16",
     "@storybook/addon-actions": "^6.5.16",
     "@storybook/addon-controls": "^6.5.16",

packages/kbn-openapi-generator/index.ts

@@ -6,5 +6,6 @@
  * Side Public License, v 1.
  */
 
+export * from './src/openapi_linter';
 export * from './src/openapi_generator';
 export * from './src/cli';

packages/kbn-openapi-generator/redocly_linter/config.yaml

@@ -0,0 +1,27 @@
+# Recommended Redocly CLI ruleset https://redocly.com/docs/cli/rules/recommended/#recommended-ruleset
+# Redocly CLI custom plugins https://redocly.com/docs/cli/custom-plugins/
+plugins:
+  - extra_linter_rules_plugin.js
+
+rules:
+  spec: error
+  spec-strict-refs: warn
+  no-path-trailing-slash: error
+  no-identical-paths: error
+  no-ambiguous-paths: warn
+  no-unresolved-refs: error
+  no-enum-type-mismatch: error
+  component-name-unique: error
+  path-declaration-must-exist: error
+  path-not-include-query: error
+  path-parameters-defined: warn
+  operation-description: warn
+  operation-2xx-response: error
+  operation-4xx-response: warn
+  operation-operationId: error
+  operation-operationId-unique: error
+  operation-summary: warn
+  operation-operationId-url-safe: error
+  operation-parameters-unique: error
+  boolean-parameter-prefixes: warn
+  extra-linter-rules-plugin/valid-x-modify: error

packages/kbn-openapi-generator/redocly_linter/extra_linter_rules_plugin.js

@@ -0,0 +1,49 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+const KNOWN_X_MODIFY_VALUES = ['partial', 'required', 'requiredOptional'];
+
+function ValidXModify() {
+  return {
+    any: {
+      leave(node, ctx) {
+        if (typeof node !== 'object' || !('x-modify' in node)) {
+          return;
+        }
+
+        if (!KNOWN_X_MODIFY_VALUES.includes(node['x-modify']))
+          ctx.report({
+            message: `Only ${KNOWN_X_MODIFY_VALUES.join(', ')} can be used for x-modify`,
+            location: ctx.location.child('x-modify'),
+          });
+      },
+    },
+    ref: {
+      leave(node, ctx) {
+        if (typeof node !== 'object' || !('x-modify' in node)) {
+          return;
+        }
+
+        if (!KNOWN_X_MODIFY_VALUES.includes(node['x-modify']))
+          ctx.report({
+            message: `Only ${KNOWN_X_MODIFY_VALUES.join(', ')} can be used for x-modify`,
+            location: ctx.location.child('x-modify'),
+          });
+      },
+    },
+  };
+}
+
+module.exports = {
+  id: 'extra-linter-rules-plugin',
+  rules: {
+    oas3: {
+      'valid-x-modify': ValidXModify,
+    },
+  },
+};

packages/kbn-openapi-generator/src/cli.ts

@@ -31,6 +31,11 @@ export function runCli() {
             default: 'zod_operation_schema' as const,
             choices: AVAILABLE_TEMPLATES,
           })
+          .option('skipLinting', {
+            describe: 'Whether linting should be skipped',
+            type: 'boolean',
+            default: false,
+          })
           .showHelpOnFail(false),
       (argv) => {
         generate(argv).catch((err) => {

packages/kbn-openapi-generator/src/openapi_generator.ts

@@ -17,6 +17,7 @@ import { fixEslint } from './lib/fix_eslint';
 import { formatOutput } from './lib/format_output';
 import { getGeneratedFilePath } from './lib/get_generated_file_path';
 import { removeGenArtifacts } from './lib/remove_gen_artifacts';
+import { lint } from './openapi_linter';
 import { getGenerationContext } from './parser/get_generation_context';
 import type { OpenApiDocument } from './parser/openapi_types';
 import { initTemplateService, TemplateName } from './template_service/template_service';
@@ -25,10 +26,18 @@ export interface GeneratorConfig {
   rootDir: string;
   sourceGlob: string;
   templateName: TemplateName;
+  skipLinting?: boolean;
 }
 
 export const generate = async (config: GeneratorConfig) => {
-  const { rootDir, sourceGlob, templateName } = config;
+  const { rootDir, sourceGlob, templateName, skipLinting } = config;
+
+  if (!skipLinting) {
+    await lint({
+      rootDir,
+      sourceGlob,
+    });
+  }
 
   console.log(chalk.bold(`Generating API route schemas`));
   console.log(chalk.bold(`Working directory: ${chalk.underline(rootDir)}`));

packages/kbn-openapi-generator/src/openapi_linter.ts

@@ -0,0 +1,47 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+/* eslint-disable no-console */
+
+import { resolve } from 'path';
+import globby from 'globby';
+import execa from 'execa';
+import chalk from 'chalk';
+import { REPO_ROOT } from '@kbn/repo-info';
+
+export interface LinterConfig {
+  rootDir: string;
+  sourceGlob: string;
+}
+
+export const lint = async (config: LinterConfig) => {
+  const { rootDir, sourceGlob } = config;
+
+  const sourceFilesGlob = resolve(rootDir, sourceGlob);
+  const schemaPaths = await globby([sourceFilesGlob]);
+
+  console.log(chalk.bold(`Linting API route schemas`));
+
+  try {
+    await execa(
+      './node_modules/.bin/redocly',
+      [
+        'lint',
+        '--config=packages/kbn-openapi-generator/redocly_linter/config.yaml',
+        ...schemaPaths,
+      ],
+      {
+        cwd: REPO_ROOT,
+        stderr: process.stderr,
+        stdout: process.stdout,
+      }
+    );
+  } catch {
+    throw new Error('Linter failed');
+  }
+};

src/dev/license_checker/config.ts

@@ -73,7 +73,7 @@ export const LICENSE_ALLOWED = [
 
 // The following list only applies to licenses that
 // we wanna allow in packages only used as dev dependencies
-export const DEV_ONLY_LICENSE_ALLOWED = ['MPL-2.0'];
+export const DEV_ONLY_LICENSE_ALLOWED = ['MPL-2.0', '(MPL-2.0 OR Apache-2.0)'];
 
 // there are some licenses which should not be globally allowed
 // but can be brought in on a per-package basis

src/dev/yarn_deduplicate/index.ts

@@ -16,7 +16,7 @@ const yarnLock = readFileSync(yarnLockFile, 'utf-8');
 const output = fixDuplicates(yarnLock, {
   useMostCommon: false,
   excludeScopes: ['@types'],
-  excludePackages: ['axe-core', '@babel/types'],
+  excludePackages: ['axe-core', '@babel/types', 'csstype'],
 });
 
 writeFileSync(yarnLockFile, output);

x-pack/plugins/osquery/scripts/openapi/generate.js

@@ -17,4 +17,6 @@ generate({
   rootDir: OSQUERY_ROOT,
   sourceGlob: './**/*.schema.yaml',
   templateName: 'zod_operation_schema',
+  // TODO: Fix lint errors
+  skipLinting: true,
 });

x-pack/plugins/security_solution/common/api/entity_analytics/asset_criticality/create_asset_criticality.schema.yaml

@@ -12,6 +12,7 @@ servers:
 paths:
   /internal/asset_criticality:
     post:
+      operationId: AssetCriticalityCreateRecord
       summary: Create Criticality Record
       requestBody:
         required: true
@@ -27,4 +28,4 @@ paths:
               schema:
                 $ref: './common.schema.yaml#/components/schemas/AssetCriticalityRecord'
         '400':
-          description: Invalid request
+          description: Invalid request

x-pack/plugins/security_solution/common/api/entity_analytics/asset_criticality/delete_asset_criticality.schema.yaml

@@ -12,6 +12,7 @@ servers:
 paths:
   /internal/asset_criticality:
     delete:
+      operationId: AssetCriticalityDeleteRecord
       summary: Delete Criticality Record
       parameters:
         - $ref: './common.schema.yaml#/components/parameters/id_value'
@@ -20,4 +21,4 @@ paths:
         '200':
           description: Successful response
         '400':
-          description: Invalid request
+          description: Invalid request

x-pack/plugins/security_solution/common/api/entity_analytics/asset_criticality/get_asset_criticality.schema.yaml

@@ -12,6 +12,7 @@ servers:
 paths:
   /internal/asset_criticality:
     get:
+      operationId: AssetCriticalityGetRecord
       summary: Get Criticality Record
       parameters:
         - $ref: './common.schema.yaml#/components/parameters/id_value'
@@ -26,4 +27,4 @@ paths:
         '400':
           description: Invalid request
         '404':
-          description: Criticality record not found
+          description: Criticality record not found

x-pack/plugins/security_solution/common/api/entity_analytics/asset_criticality/get_asset_criticality_privileges.schema.yaml

@@ -12,6 +12,7 @@ servers:
 paths:
   /internal/asset_criticality/privileges:
     get:
+      operationId: AssetCriticalityGetPrivileges
       summary: Get Asset Criticality Privileges
       responses:
         '200':
@@ -26,4 +27,4 @@ paths:
                     ".asset-criticality.asset-criticality-*":
                       read: true
                       write: false
-                has_all_required: false
+                has_all_required: false

x-pack/plugins/security_solution/common/api/entity_analytics/asset_criticality/get_asset_criticality_status.schema.yaml

@@ -12,6 +12,7 @@ servers:
 paths:
   /internal/asset_criticality/status:
     get:
+      operationId: AssetCriticalityGetStatus
       summary: Get Asset Criticality Status
       responses:
         '200':

x-pack/plugins/security_solution/package.json

@@ -29,4 +29,4 @@
     "openapi:generate:debug": "node --inspect-brk scripts/openapi/generate",
     "openapi:bundle": "node scripts/openapi/bundle"
   }
-}
+}